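---
# Kingfisher detection rules for GitHub credentials (kingfisher.github.1 .. .9).
#
# Each rule is a verbose (?x) regex. Where the token format ends in a checksum,
# the checksummed part is captured as `body` and the checksum as `checksum`, and
# `pattern_requirements.checksum` recomputes the expected value from `body` so
# that random strings with the right prefix are dropped before any network call.
# `validation` confirms a match against the GitHub API using the matched secret
# ({{ TOKEN }}); `revocation`, where present, is the request that revokes it.
# Date-like and number-like header values are quoted so YAML does not retype them.
rules:
  - name: GitHub Personal Access Token - fine-grained permissions
    id: kingfisher.github.1
    # body = "github_pat_" + 22 chars + "_" + 43 chars; checksum = 8 chars from
    # [A-Za-z2-7] computed over body; the final 8 chars are not checksummed.
    pattern: |
      (?x)
      (
        (?P<body>github_pat_[0-9][A-Za-z0-9]{21}_[A-Za-z0-9]{43})
        (?P<checksum>[A-Za-z2-7]{8})
        [A-Za-z0-9]{8}
      )
      \b
    pattern_requirements:
      min_digits: 2
      min_lowercase: 2
      checksum:
        actual:
          template: "{{ checksum }}"
          requires_capture: checksum
        expected: "{{ body | sha256_b32: 8 }}"
        skip_if_missing: true
    min_entropy: 3.5
    examples:
      - "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"
    references:
      - https://docs.github.com/en/rest/users?apiVersion=2022-11-28
    validation:
      type: Http
      content:
        request:
          method: GET
          url: '{{ GITHUB_API_BASE_URL }}/user'
          headers:
            Authorization: token {{ TOKEN }}
            Accept: application/vnd.github+json
        response_matcher:
          - report_response: true
          - match_all_words: true
            type: WordMatch
            words:
              - '"login"'
              - '"id"'
    revocation:
      type: Http
      content:
        request:
          method: POST
          url: '{{ GITHUB_API_BASE_URL }}/credentials/revoke'
          headers:
            Accept: application/vnd.github+json
            # Quoted: an unquoted YYYY-MM-DD is parsed as a timestamp, not text.
            X-GitHub-Api-Version: "2026-03-10"
            Content-Type: application/json
          body: '{"credentials":["{{ TOKEN }}"]}'
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [202]

  - name: GitHub Personal Access Token
    id: kingfisher.github.2
    # body = 30 random chars after "ghp_"; checksum = crc32(body) as 6 base62 chars.
    pattern: |
      (?x)
      (
        ghp_(?P<body>[A-Za-z0-9]{30})(?P<checksum>[A-Za-z0-9]{6})
      )
    pattern_requirements:
      min_digits: 2
      min_lowercase: 2
      checksum:
        actual:
          template: "{{ checksum }}"
          requires_capture: checksum
        expected: "{{ body | crc32 | base62: 6 }}"
        skip_if_missing: true
    min_entropy: 3.5
    examples:
      - "GITHUB_KEY=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"
      - "let g:gh_token='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'"
      - |
        ## git developer settings
        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
    references:
      - https://docs.github.com/en/rest/users?apiVersion=2022-11-28
    validation:
      type: Http
      content:
        request:
          method: GET
          url: '{{ GITHUB_API_BASE_URL }}/user'
          headers:
            Authorization: token {{ TOKEN }}
            Accept: application/vnd.github+json
        response_matcher:
          - report_response: true
          - match_all_words: true
            type: WordMatch
            words:
              - '"login"'
              - '"id"'
    revocation:
      type: Http
      content:
        request:
          method: POST
          url: '{{ GITHUB_API_BASE_URL }}/credentials/revoke'
          headers:
            Accept: application/vnd.github+json
            # Quoted: an unquoted YYYY-MM-DD is parsed as a timestamp, not text.
            X-GitHub-Api-Version: "2026-03-10"
            Content-Type: application/json
          body: '{"credentials":["{{ TOKEN }}"]}'
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [202]

  - name: GitHub OAuth Access Token
    id: kingfisher.github.3
    # Same 30 + 6 layout as ghp_; checksum = crc32(body) as 6 base62 chars.
    pattern: |
      (?x)
      (
        gho_(?P<body>[A-Za-z0-9]{30})(?P<checksum>[A-Za-z0-9]{6})
      )
    pattern_requirements:
      min_digits: 2
      checksum:
        actual:
          template: "{{ checksum }}"
          requires_capture: checksum
        expected: "{{ body | crc32 | base62: 6 }}"
        skip_if_missing: true
    min_entropy: 3.5
    confidence: medium
    examples:
      - ' "url": "git+https://FelipeMestre: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@github.com/gontarz/PW_2021_Website-FelipeMestre.git"'
      - ' oauth_token: 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'
    references:
      - https://docs.github.com/en/rest/users?apiVersion=2022-11-28
    validation:
      type: Http
      content:
        request:
          method: GET
          url: '{{ GITHUB_API_BASE_URL }}/user'
          headers:
            Authorization: token {{ TOKEN }}
            Accept: application/vnd.github+json
        response_matcher:
          - report_response: true
          - match_all_words: true
            type: WordMatch
            words:
              - '"login"'
              - '"id"'
    revocation:
      type: Http
      content:
        request:
          method: POST
          url: '{{ GITHUB_API_BASE_URL }}/credentials/revoke'
          headers:
            Accept: application/vnd.github+json
            # Quoted: an unquoted YYYY-MM-DD is parsed as a timestamp, not text.
            X-GitHub-Api-Version: "2026-03-10"
            Content-Type: application/json
          body: '{"credentials":["{{ TOKEN }}"]}'
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [202]

  - name: GitHub App User-to-Server Token
    id: kingfisher.github.4
    # Same 30 + 6 layout as ghp_; checksum = crc32(body) as 6 base62 chars.
    pattern: |
      (?x)
      (
        ghu_(?P<body>[A-Za-z0-9]{30})(?P<checksum>[A-Za-z0-9]{6})
      )
    pattern_requirements:
      checksum:
        actual:
          template: "{{ checksum }}"
          requires_capture: checksum
        expected: "{{ body | crc32 | base62: 6 }}"
        skip_if_missing: true
    examples:
      - ' "token": "ghu_TIOHHEVefAwRonSMALCFfWMYK0un1R1dj2rn",'
      - |
        Example usage: git clone http://ghu_imqBAXUtRirzzcJPwAiqImhkzsvzYZ1eDtPf@github.com/username/repo.git
    references:
      - https://docs.github.com/en/rest/users?apiVersion=2022-11-28
    validation:
      type: Http
      content:
        request:
          method: GET
          url: '{{ GITHUB_API_BASE_URL }}/user'
          headers:
            Authorization: token {{ TOKEN }}
            Accept: application/vnd.github+json
        response_matcher:
          - report_response: true
          - match_all_words: true
            type: WordMatch
            words:
              - '"login"'
              - '"id"'
    revocation:
      type: Http
      content:
        request:
          method: POST
          url: '{{ GITHUB_API_BASE_URL }}/credentials/revoke'
          headers:
            Accept: application/vnd.github+json
            # Quoted: an unquoted YYYY-MM-DD is parsed as a timestamp, not text.
            X-GitHub-Api-Version: "2026-03-10"
            Content-Type: application/json
          body: '{"credentials":["{{ TOKEN }}"]}'
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [202]

  - name: GitHub App Server-to-Server Token
    id: kingfisher.github.5
    # No checksum requirement is configured for this rule, so prefix-matching
    # strings reach validation unfiltered; the named groups are kept for
    # consistency with the other 30 + 6 token layouts.
    pattern: |
      (?x)
      (
        ghs_(?P<body>[A-Za-z0-9]{30})(?P<checksum>[A-Za-z0-9]{6})
      )
    examples:
      - ' "token": "ghs_16C7e42F292c69C2E7C10c838347Ae178B4a",'
      - |
        Example usage: git clone http://ghs_RguXIkihJjwHAP6eXEYxaPNvywurTr5IOAbg@github.com/username/repo.git
    references:
      - https://docs.github.com/en/rest/users?apiVersion=2022-11-28
    validation:
      type: Http
      content:
        request:
          method: GET
          url: '{{ GITHUB_API_BASE_URL }}/user'
          headers:
            Authorization: token {{ TOKEN }}
            Accept: application/vnd.github+json
        response_matcher:
          - report_response: true
          - match_all_words: true
            type: WordMatch
            words:
              - '"login"'
              - '"id"'
    # Installation tokens are revoked by the authenticated DELETE below, not via
    # the credentials/revoke endpoint used for user-scoped tokens.
    revocation:
      type: Http
      content:
        request:
          method: DELETE
          url: '{{ GITHUB_API_BASE_URL }}/installation/token'
          headers:
            Authorization: token {{ TOKEN }}
            Accept: application/vnd.github+json
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [204]

  - name: GitHub Refresh Token
    id: kingfisher.github.6
    # body = 70 random chars after "ghr_"; checksum = crc32(body) as 6 base62 chars.
    pattern: |
      (?x)
      (
        ghr_(?P<body>[A-Za-z0-9]{70})(?P<checksum>[A-Za-z0-9]{6})
      )
    pattern_requirements:
      checksum:
        actual:
          template: "{{ checksum }}"
          requires_capture: checksum
        expected: "{{ body | crc32 | base62: 6 }}"
        skip_if_missing: true
    examples:
      - ' "refresh_token": "ghr_xgrrGzSbbGRL34Wp39JU9nxtN27Pr1v1He8FjE7x7wbExGGs7nfJszJDAmZuoKasxZ0KxJ1HSzgc",'
    references:
      - https://docs.github.com/en/rest/users?apiVersion=2022-11-28
    validation:
      type: Http
      content:
        request:
          method: GET
          url: '{{ GITHUB_API_BASE_URL }}/user'
          headers:
            Authorization: token {{ TOKEN }}
            Accept: application/vnd.github+json
        response_matcher:
          - report_response: true
          - match_all_words: true
            type: WordMatch
            words:
              - '"login"'
              - '"id"'
    revocation:
      type: Http
      content:
        request:
          method: POST
          url: '{{ GITHUB_API_BASE_URL }}/credentials/revoke'
          headers:
            Accept: application/vnd.github+json
            # Quoted: an unquoted YYYY-MM-DD is parsed as a timestamp, not text.
            X-GitHub-Api-Version: "2026-03-10"
            Content-Type: application/json
          body: '{"credentials":["{{ TOKEN }}"]}'
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [202]

  - name: GitHub Client ID
    id: kingfisher.github.7
    # Not reported on its own (visible: false); it exists to supply the
    # GITHUB_CLIENT_ID value consumed by the legacy secret rule below.
    # Matches a "github ... (client) id/key" label followed by a 20-char hex id.
    pattern: |
      (?xi)
      (?:github)
      .?
      (?: api | app | application | client | consumer | customer )?
      .?
      (?: id | identifier | key )
      .{0,2}
      \s{0,20}
      .{0,2}
      \s{0,20}
      .{0,2}
      \b
      ([a-z0-9]{20})
      \b
    visible: false
    examples:
      - |
        GITHUB_CLIENT_ID=ac58d6da7d7a84c039b7
        GITHUB_SECRET=37d02377a3e9d849e18704c3ec883f9c5787d857

  - name: GitHub Legacy Secret Key
    id: kingfisher.github.8
    # A "github/gh ... token|key|secret" label followed within 32 chars by a
    # 40-char hex value; validated as an OAuth client secret together with the
    # client id captured by kingfisher.github.7.
    pattern: |
      (?xi)
      \b
      (?:github|gh)
      (?:.|[\n\r]){0,4}?
      (?:oauth|pat|token|key|secret|api[_-]?key|access[_-]?token)\b
      (?:.|[\n\r]){0,32}?
      \b
      (
        [a-z0-9]{40}
      )
      \b
    depends_on_rule:
      # The client id comes from the "GitHub Client ID" rule (kingfisher.github.7);
      # kingfisher.github.5 matches ghs_ installation tokens and can never supply
      # a 20-char client id, so a dependency on it would leave GITHUB_CLIENT_ID
      # unfilled during validation.
      - rule_id: "kingfisher.github.7"
        variable: GITHUB_CLIENT_ID
    examples:
      - |
        GITHUB_CLIENT_ID=ac58d6da7d7a84c039b7
        GITHUB_SECRET=37d02377a3e9d849e18704c3ec883f9c5787d857
    # A deliberately invalid authorization code is exchanged; an HTTP 200 whose
    # body is "bad_verification_code" indicates the client id/secret pair was
    # accepted and only the code was rejected, without minting a real token.
    validation:
      type: Http
      content:
        request:
          method: POST
          url: '{{ GITHUB_WEB_BASE_URL }}/login/oauth/access_token'
          headers:
            Accept: "application/json"
            Content-Type: "application/json"
          body: '{"client_id":"{{GITHUB_CLIENT_ID}}","client_secret":"{{TOKEN}}","code":"invalid_code"}'
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [200]
          - type: WordMatch
            words:
              - '"error":"bad_verification_code"'

  - name: GitHub App Server-to-Server Token (stateless JWT format)
    id: kingfisher.github.9
    # "ghs_" + numeric installation part + "_" + a three-segment JWT.
    # No checksum is defined for this format, so only min_entropy filters matches
    # before validation.
    pattern: |
      (?x)
      (
        ghs_[0-9]+_
        [A-Za-z0-9_-]+
        \.
        [A-Za-z0-9_-]+
        \.
        [A-Za-z0-9_-]+
      )
    min_entropy: 3.5
    examples:
      - 'ghs_12345_eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NDU1NjgwMDAsImV4cCI6MTc0NTU2ODM2MCwiaXNzIjoiMTIzNDUiLCJzdWIiOiJnaXRodWJ8MTIzNDUifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
    references:
      - https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app
      - https://github.com/mongodb/kingfisher/issues/359
    validation:
      type: Http
      content:
        request:
          method: GET
          url: '{{ GITHUB_API_BASE_URL }}/user'
          headers:
            Authorization: token {{ TOKEN }}
            Accept: application/vnd.github+json
        response_matcher:
          - report_response: true
          - match_all_words: true
            type: WordMatch
            words:
              - '"login"'
              - '"id"'
    # Same authenticated DELETE as kingfisher.github.5; a 204 confirms revocation.
    revocation:
      type: Http
      content:
        request:
          method: DELETE
          url: '{{ GITHUB_API_BASE_URL }}/installation/token'
          headers:
            Authorization: token {{ TOKEN }}
            Accept: application/vnd.github+json
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [204]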